Abstract: The Sybil attack in unknown port networks such as wireless is not
considered tractable. A wireless node is not capable of independently differentiating
the universe of real nodes from the universe of arbitrary non-existent fictitious nodes
created by the attacker. Similar to failure detectors, we propose to use universe
detectors to help nodes determine which universe is real. In this paper, we (i)
define several variants of the neighborhood discovery problem under Sybil attack;
(ii) propose a set of matching universe detectors; (iii) demonstrate the necessity of
additional topological constraints for the problems to be solvable: node density
and communication range; (iv) present SAND, an algorithm that solves these
problems with the help of appropriate universe detectors. This solution demonstrates
that the proposed universe detectors are the weakest detectors possible for each
problem.

Key-words: Sybil attack, wireless network, universe detector
Universe Detectors for Defense against Sybil Attacks in Ad Hoc Wireless Networks

Abstract: The problem of the Sybil attack in unknown port networks such as
wireless networks is not considered solvable. A wireless node is not capable of
differentiating by itself a universe of real nodes from a universe of fictitious
nodes created by an attacker.

Similarly to failure detectors, we propose to use universe detectors to help nodes
determine which universe is real. In this article, we (i) define several variants of
the neighborhood discovery problem in the presence of Sybil attacks; (ii) present a
set of matching universe detectors; (iii) prove the necessity of additional
topological constraints for the problem to become solvable: node density and
communication range; (iv) present SAND, a distributed algorithm that solves the
proposed problems with the help of appropriate universe detectors, and show that the
universe detectors are the weakest possible for each problem.

Keywords: Sybil attack, wireless network, universe detector
1 Introduction

A Sybil attack, formulated by Douceur [9], is intriguing in its simplicity. However,
such an attack can incur substantial damage to the computer system. In a Sybil
attack, the adversary is able to compromise the system by creating an arbitrary
number of identities that the system perceives as separate. If the attack is
successful, the adversary may either overwhelm the system resources, thus channeling
the attack into denial-of-service [25], or create more sophisticated problems, e.g.
routing infrastructure breakdown [12].

Ad hoc wireless networks, such as sensor networks, are a potential Sybil attack
target. The ad hoc nature of such networks may result in scenarios where each node 
starts its operation without the knowledge of even its immediate neighborhood let 
alone the complete network topology. Yet, the broadcast nature of the wireless 
communication prevents each node from recognizing whether the messages that it 
receives are sent by the same or different senders. Thus, an attacker may be free 
to either create an arbitrary number of fictitious identities or impersonate already 
existing real nodes. The problem straddles the security and fault tolerance domains
as the attacker may be either a malicious intruder or a node experiencing a Byzantine
fault. A fault is Byzantine [14] if the faulty node disregards the program code and
behaves arbitrarily. For convenience, in this paper we assume that the attacker is a
faulty node rather than an intruder.

Problem motivation. A standard way of establishing trust between communicating
parties is by employing cryptography. There are a number of publications
addressing the Sybil attack in this manner [HI [TBI EE G31 [26] ETJ [29]. For example,
if each node has access to verified certificates and every sender digitally signs its
messages, then the receiver can unambiguously determine the sender and discard
superfluous identities created by the faulty node by checking the digital signature
of the message against the certificates. However, there are several reasons for this
approach to be inappropriate. A cryptography-based solution presupposes a key-based
infrastructure, which requires maintenance and updates and thus limits its
applicability. Moreover, resource-constrained devices, such as sensor nodes in sensor
networks, may not be able to handle cryptographic operations at all.

Another approach is intrusion detection based on reputation [TJ El [11]. Due
to the broadcast nature of wireless communication, the messages from each node
are observed by its neighbors. A fault is detected if the node deviates from the
protocol. It is unclear how reputation-based schemes would fare if the messages
cannot be matched to the sender: the faulty node may impersonate other nodes
or create an arbitrary number of fictitious nodes and set up its own alternative
reputation verification network.

However, there are two unique features of wireless communication that make 
defense against the Sybil attack possible. The wireless communication is broadcast. 
Thus, the message transmission of a faulty node is received by all nodes in its 
vicinity. In addition, the nodes can estimate the received signal strength (RSS) of 
the message and make judgments of the location of the sender on its basis. Note 
that the latter is not straightforward as the faulty node can change its transmission 
signal strength (TSS). In this paper we investigate the approaches to Sybil defense 
using this property of wireless communication. 

Related literature. Newsome et al. [18] as well as Shi and Perrig [22] survey various
defenses against the Sybil attack. They stress the promise of the type of technique 
we consider. Demirbas and Song [7] consider using the RSS for Sybil defense. 

A line of inquiry that is related to Sybil defense is secure location identification [21
CG2 CESl [2D [23]. In this case, a set of trusted nodes attempt to verify the location
of a possibly malicious or faulty node. However, the establishment of such a trusted
network is not addressed. Hence, this approach may not be useful for Sybil defense.

Delaet et al. [6] and Hwang et al. [10] consider the problem where the faulty node
operates synchronously with the other nodes. Delaet et al. [6] provided examples of
positioning of faulty nodes and their strategies that lead to neighborhood discovery
compromise. Note that the synchrony assumption places a bound on the number of
distinct identities that the faulty node can assume before the correct nodes begin
to counter its activities. Even though the faulty node may potentially create an
infinite number of fictitious identities, the correct nodes have to deal with no more
than several of them at a time. However, this approach simplifies the problem as it
limits the power of the faulty node and the strength of the attack.

Nesterenko and Tixeuil [17] describe how, despite Byzantine faults, every node
can determine the complete topology of the network once each node recognizes
its immediate neighbors. Thus, to defend against the Sybil attack it is sufficient
to locally solve Byzantine-robust neighborhood discovery.

Note that the problem is trivial when the ports are known. In this case, the 
receiver may not know the identity of the transmitter of the message but can match 
the same transmitter across messages. This prohibits the faulty node from creating 
more than a single fictitious identity or impersonating other real nodes and allows 
a simple solution. 

Our approach and contribution. We consider the problem of neighbor identification
in the presence of Byzantine nodes. The nodes are embedded in a geometric
plane and know their location. They do not have access to cryptographic operations.
The nodes can exchange arbitrary messages, but the only information about
the message that the receiver can reliably obtain is its RSS. We consider the
asynchronous model of execution. That is, the execution speed of any pair of nodes in
the network can differ arbitrarily. This enables the faulty node to create an arbitrary
number of fictitious identities or impersonate the correct nodes in an arbitrary way.
Moreover, in this model, the only unique identities that the nodes have are their
coordinates. Hence, the objective of each node is to collect the coordinates of its
neighbors. We focus on local solutions to the neighborhood discovery. That is, each
node only processes messages from the correct neighbors within a certain fixed
distance. We do not consider a denial-of-service attack or jamming attack [25], where
the faulty nodes just overwhelm resources of the system by continuously transmitting
arbitrary messages. We assume that the network has sufficient bandwidth for
message exchanges and the nodes have sufficient memory and computing resources
to process them. To the best of our knowledge, this is the most general model of
Sybil defense considered to date.

In Section 2 we provide details for our execution model and formally state several
variants of the neighborhood discovery problem. Sections 4, 5 and 6 outline the
boundaries of the achievable. In Section 3 we formally prove that this problem is not
solvable without outside help. Intuitively, the faulty node may create a universe of
an arbitrary number of fictitious identities whose messages are internally consistent
and the correct node has no way of differentiating those from the universe of correct
nodes. In Section 4 we introduce universe detectors as a way to help nodes select
the correct universe. The idea is patterned after failure detectors [5]. Just like failure
detectors, universe detectors are not implementable in asynchronous systems. However,
they provide a convenient abstraction that separates the concerns of algorithm
design and implementation of the necessary synchrony and other details that enable
the solution to Sybil defense. However, unlike failure detectors, universe detectors
alone are insufficient to allow a solution to the neighborhood discovery problem. If
the network is too sparse, the faulty nodes may introduce a fictitious
identity such that the detector is rendered unable to help the correct nodes. In
Section 5 we prove the necessary condition for the location of the correct nodes to
allow a solution to the neighborhood discovery problem. However, the faulty node
may still be able to compromise the operation of correct nodes. For that, a faulty
node may assume the identity of a correct node and discredit it by sending incorrect
messages to other nodes. In Section 6 we prove another necessary condition for the
minimum transmission range of correct nodes that eliminates this problem.

In Section 7 we present a Sybil-attack resilient neighborhood discovery algorithm
SAND that uses the universe detectors to solve the neighborhood discovery problem
provided that the necessary conditions are met. In their study of failure detectors
Chandra et al. [3] defined the weakest failure detector as the necessary detector
to solve the problem that they are deployed to address. With the introduction of
SAND, we show that the employed detectors are the weakest detectors necessary to
solve the neighborhood discovery problem. In Section EJ we conclude the paper by
discussing the implementation details of the algorithm and the attendant universe
detectors.

2 Computation Model Description, Assumptions, Notation and Definitions

A computer network consists of nodes embedded in a geometric plane. Each node is
aware of its own coordinates. A (node) layout is a particular set of nodes and their
locations on the plane. Unless explicitly restricted, we assume that the node layout
can be arbitrary. Any specific point on the plane can be occupied by at most one
node. Thus, the node's coordinates on the plane uniquely identify it. The nodes
have no other identifiers. For ease of exposition, we use identifiers at the end of
the alphabet such as v or u to refer to the particular locations or non-faulty nodes
occupying them. We use f and k respectively to refer to a faulty node and a location
where the faulty node may pretend to be located. The distance between u and v is
$|uv|$. The neighborhood set or just neighborhood of a node u is a set of nodes whose
distance to u is less than a certain fixed distance $d_n$.

Program model. We assume the asynchronous model of algorithm execution.
That is, the difference between the execution speed of any pair of nodes can be
arbitrarily large. Note that this asynchrony assumption allows any node, including
a faulty one, to send an arbitrary number of messages before other nodes are able to
respond. The nodes run a distributed algorithm. The algorithm consists of variables
and actions. A (global) state of the algorithm is an assignment of values to all its
variables. An action is enabled in a state if it can be executed at this state. A
computation is a maximal fair sequence of algorithm states starting from a certain
prescribed initial state $s_0$ such that for each state $s_i$, the next state $s_{i+1}$
is obtained by atomically executing an action that is enabled in $s_i$. Maximality of a
computation means that the computation is either infinite or terminates where none of
the actions are enabled. In other words, a computation cannot be a proper prefix of
another computation. Fairness means that if an action is enabled in all but finitely many
states of an infinite computation then this action is executed infinitely often. That
is, we assume weak fairness of action execution. During a single computation, node
layout is fixed.

Nodes can be either correct or faulty (Byzantine). A faulty node does not have
to follow the steps of the algorithm and can behave arbitrarily throughout the
computation.

Node communication. Nodes communicate by broadcasting messages. As the distance
to the sender increases, the signal fades. We assume the free space model [20] of
signal propagation. The antennas are omnidirectional. The received signal strength
(RSS) changes as follows:

$$R = cT/r^2 \qquad (1)$$

where $R$ is the RSS, $c$ is a constant, $T$ is the transmitted (or sent) signal strength
(TSS), and $r$ is the distance from the sender to the receiver. We assume that $r$ cannot
be arbitrarily small. Thus, $R$ is always finite. There is a minimum signal strength
$R_{min}$ at which the message can still be received. There is no message loss. That is, if
a message is sent with TSS $T'$, then every node within distance $r' = \sqrt{cT'/R_{min}}$
of the sender receives the message. We do not consider interference, hidden-terminal
effect or other causes of message loss. We assume that every correct node always
broadcasts with a certain fixed strength $T_r$. The range $r_t$ is defined as
$\sqrt{cT_r/R_{min}}$. The relation between range $r_t$ and neighborhood distance $d_n$ is,
in general, arbitrary. A faulty node may select arbitrary TSS. If a node receives a
message (i.e. if the RSS is greater than $R_{min}$), then the node can accurately measure
the RSS.

To simplify the exposition we assume that the nodes transmit three types of
messages: (i) u transmits announce; this message has only the information about u
and carries its coordinates; the purpose of an announcement is for u to advertise its
presence to its neighbors; (ii) u transmits confirm of another node v's transmission;
(iii) u transmits conflict with another node v's transmission if its observations do not
match the location or the contents of v's message. The original message is attached
in confirm and conflict. Every message contains the coordinates of the sender.

Fictitious nodes and conflicts. Since the only way to unambiguously differentiate
the nodes is by their location, the objective of every node is to determine the
coordinates of its neighbors. Faulty nodes may try to disrupt this process by making
the correct node assume that it has a non-existent neighbor. Such a non-existent
neighbor is fictitious. A node that indeed exists in the layout is real. Note that a
real node can still be either correct or faulty. Faulty nodes may try to tune their
TSS and otherwise transmit messages such that it appears to the correct nodes that
the message comes from a fictitious node. Moreover, the faulty nodes may try to
make their transmissions appear to have come from correct nodes.

As a node receives messages, due to the actions of a faulty node, the collected
information may be contradictory. A conflict consists of a message of any type
purportedly coming from node k, yet the received signal strength at node u does
not match $|uk|$ provided that the signal were broadcast from k with the TSS of $T_r$.
A conflict is explicit if u receives this conflicting message. Note that the RSS may
be so low that u is unable to receive the message altogether, even though the RSS
at u should be greater than $R_{min}$ had the message indeed come from k and been
broadcast at $T_r$. In this case the conflict is implicit. To discover the implicit conflict
u has to consult other nodes that received the conflicting message. If u detects a
conflict it sends a conflict message.

A universe is a subset of neighbors that do not conflict. That is, a universe at 
node u contains nodes v and w whose announcements u received such that u did 
not receive a conflict from v about w or from w about v. Note that due to conflicts 
the information collected by a single node may result in several different universes. 
A universe is real if all nodes in it are real. A universe is complete for a node u if it
contains all of its correct neighbors. Note that even though a faulty node is real, it
can evade being added to universes by not sending any messages. Hence, a complete 
universe is not required to contain all the real nodes, just correct ones. 

Program locality. To preserve the locality of a solution to the neighborhood
discovery problem, we introduce the following requirement. Each node ignores
information from the nodes outside the range $r_t$ and about the nodes outside the
neighborhood distance $d_n$.

Problem statement. We define several variants of the problem. The strong
neighborhood discovery problem SNDP requires each correct node u to output its
neighborhood set according to the following properties:

safety — if the neighborhood set of u is output, the set contains all correct
nodes of its neighborhood and no fictitious nodes;

liveness — every computation has a suffix in whose every state u outputs a
neighborhood set that contains all correct neighbors of u. In other words, u
eventually outputs its complete neighborhood set.

This problem definition may be too strict. Some correct nodes may be slow in
announcing their presence. However, the safety property of SNDP requires each
node to wait for its slow neighbors before outputting the neighborhood set. Hence,
we define the weak neighborhood discovery problem WNDP. This problem relaxes
the safety property to allow the output neighborhood set to contain a subset of
correct neighbors of u. Note that the presence of the fictitious nodes in the output is
still prohibited. Also note that the liveness property requires that the neighborhood
set of u in WNDP eventually contains all correct neighbors. Further relaxation of
the safety property yields the eventual neighborhood discovery problem ◇NDP. It
requires that the safety of SNDP be satisfied only in the suffix of a computation.
That is, ◇NDP allows the correct nodes to output incorrect information arbitrarily
long before providing correct output. Observe that any solution to SNDP is also a
solution to WNDP, and any solution to WNDP is also a solution to ◇NDP.

3 Impossibility of Standalone Solution to Neighborhood 
Discovery 

In this section we demonstrate that in the asynchronous system any correct node is 
incapable of discovering its neighborhood if a faulty node is present. The intuition 
for this result is as follows. Since a faulty node is not restricted in the number 
of messages that it generates, it can send an arbitrary number of announcements 
introducing fictitious nodes. The faulty node can then imitate arbitrary message 
traffic between these non-existent nodes. On its own, a correct node is not able to 
differentiate these fictitious nodes from the real ones. 

Theorem 1 In an asynchronous system, none of the three variants of the neigh- 
borhood discovery problem are deterministically solvable in the presence of a single 
Byzantine fault. 

Proof: We provide the proof for the eventual neighborhood discovery problem. 
Since this problem is the weakest of the three that we defined, the impossibility of 
its solution implies similar impossibility for the other two. 

Assume the opposite. Let A be a deterministic algorithm that solves ◇NDP in
the presence of a faulty node. Let us consider an arbitrary layout $L_1$ that contains a
faulty node f. Let us consider another layout $L_2$ containing f such that the
neighborhood $U_1$ in layout $L_1$ of at least one correct node u differs from its
neighborhood $U_2$ in $L_2$ and this difference includes at least one correct node.
Without loss of generality we can assume that there exists a correct node v such that
$v \in U_1$ and $v \notin U_2$.

We construct two computations of A: $\sigma_1$ on layout $L_1$ and $\sigma_2$ on layout
$L_2$. The construction proceeds by iteratively enlarging the prefixes of the two
computations. In each iteration, we consider the last state of the prefix of $\sigma_1$
constructed so far and find the action that was enabled for the largest number of
consecutive steps. If there are several such actions, we choose one arbitrarily. We
attach the execution of this action to the prefix of $\sigma_1$. If this action is a message
transmission of a node w such that $w \in U_1$, we also attach the following action
execution to the prefix of $\sigma_2$: node f sends exactly the same message as w in
$\sigma_1$ with the TSS selected as $T = T_r |uf|^2 / |uw|^2$. Observe that u receives the
same message and with the same RSS in this step of $\sigma_2$ as in the step added to
$\sigma_1$. If the new action attached to the $\sigma_1$ prefix is not by a node in $U_1$, or
it is not a message transmission, no action is attached to the prefix of $\sigma_2$. We
perform similar operations to the prefix of $\sigma_2$.

We continue this iterative process until maximal computations $\sigma_1$ and $\sigma_2$ are
obtained. Observe that by construction, both computations are weakly fair
computations of A. Moreover, in both cases u receives exactly the same messages with
exactly the same RSS.

By assumption, A is a solution to ◇NDP. According to the liveness property of
the problem, $\sigma_1$ has a suffix where u outputs its neighborhood in every state and,
due to the liveness property, $\sigma_1$ contains a suffix where u's neighborhood set
contains all correct nodes. In layout $L_1$ of $\sigma_1$, v is u's correct neighbor. Hence,
v has to be included in this set. That is, there is a suffix of $\sigma_1$ where u outputs a
neighborhood set that contains v. However, u receives the same messages in $\sigma_2$.
Since A is deterministic, u has to output exactly the same set in $\sigma_2$ as well. That
is, $\sigma_2$ contains a suffix where the neighborhood set also contains v. However, v is
fictitious in layout $L_2$ of $\sigma_2$. According to the safety property of ◇NDP, every
computation should contain a suffix where the neighborhood set of u excludes fictitious
nodes. That is, $\sigma_2$ of A violates the safety of ◇NDP. Hence, our assumption that A
is a solution to the eventual neighborhood discovery problem is incorrect. The theorem
follows. □



4 Abstract Universe Detectors 

Definitions. The negative result of Theorem 1 hinges on the ability of a faulty
node to introduce an arbitrary number of fictitious nodes. A correct node cannot
distinguish them from its real neighbors. Still, a correct node may be able to detect
conflicts between nodes and separate them into universes. However, it needs help
deciding which universe is real. This leads us to introduce the concept of a universe
detector that enables the solution to the neighborhood discovery problem in the
asynchronous computation model. A universe detector indicates to each correct
node which universe is real. It takes the universes collected by the node as input and
outputs which universe contains only real nodes. That is, a universe detector points
to the real universe. Note that the algorithm still has to collect the neighborhood
information and separate it into universes such that at least one of them is real.
If the algorithm does not provide a real universe, the detector does not help.

Depending on the quality of the output, we define the following detector classes.
For each node u, a strongly perfect universe detector SPU has the following
properties:

completeness — if a computation contains a suffix where in every state, u outputs
a real and complete universe, then this computation also contains a suffix where
SPU at u points to it;

accuracy — if SPU points to a universe, this universe is real and complete.

The strongly perfect universe detector may be too restrictive or too difficult to
implement. Unlike SPU, a weakly perfect universe detector WPU may point to a
real universe even if it is not complete. That is, the definition of accuracy is relaxed
to allow the detector to point to a real universe that is not complete. Note that
WPU still satisfies the completeness property and has to eventually point to the
real universe if it is available. A further relaxation of completeness and accuracy
yields an eventually perfect universe detector ◇PU which satisfies both properties in
a suffix of every computation. Observe that the relationship between these detector
classes is as follows: SPU ⊂ WPU ⊂ ◇PU.

Observe that these universe detectors enable a trivial solution to the neighborhood
discovery problems: each node composes a universe for every possible combination
of the nodes that claim to be in its neighborhood. Naturally, as the node receives
announcements from all its correct neighbors, one of these universes is bound to be
real and complete. Hence, the detector can point to it. However, such an approach
essentially shifts the burden of separating fictitious and real nodes to the detector
while we are interested in minimizing the detector's involvement. This leads us to
introduce an additional property of the algorithms that we consider. An algorithm
that solves the neighborhood discovery problem that uses detectors is conflict-aware
if for each universe U of node u, if nodes v and w do not have a conflict and v
belongs to U then w also belongs to U. That is, the algorithm does not gratuitously
separate non-conflicting neighbors into different universes. In what follows we focus
on conflict-aware solutions.

5 Necessary Node Density

Theorem 1 demonstrates that to solve the neighborhood discovery problem, any
algorithm requires outside help from a construct like a universe detector. However,
the availability of a universe detector may not be sufficient. Faulty nodes may take
advantage of a layout to announce a fictitious node without generating conflicts.
Then, a correct node running a conflict-aware algorithm never removes this fictitious
node from the real universe. A universe detector then cannot point to such a
universe.
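
The universes and detectors of Section 4, and the failure case just described, as an added Python example (not the paper's algorithm or code). It assumes one reading of conflict-awareness, namely that universes are the maximal conflict-free subsets of the announced nodes, and it models the detector as an oracle that is handed the ground truth, since the paper treats detectors as an abstraction; the coordinates and function names are constructed for illustration.

```python
def universes(announced, conflicts):
    """Maximal conflict-free subsets of the announced nodes.

    `announced` is the set of coordinates node u has heard announcements
    from; `conflicts` is an iterable of (v, w) pairs for which u received
    a conflict message.  A node is left out of a universe only if it
    conflicts with a member (assumed reading of "conflict-aware")."""
    nodes = sorted(announced)
    bad = {frozenset(pair) for pair in conflicts}
    compatible = {
        v: {w for w in nodes if w != v and frozenset((v, w)) not in bad}
        for v in nodes
    }
    found = []

    def expand(chosen, candidates, excluded):
        # Bron-Kerbosch enumeration of maximal cliques in the
        # "does not conflict with" graph.
        if not candidates and not excluded:
            found.append(frozenset(chosen))
            return
        for v in sorted(candidates):
            expand(chosen | {v}, candidates & compatible[v],
                   excluded & compatible[v])
            candidates = candidates - {v}
            excluded = excluded | {v}

    expand(frozenset(), frozenset(nodes), frozenset())
    return found


def universe_detector(candidates, real_nodes, correct_neighbors=None):
    """Idealised oracle standing in for a universe detector.

    With `correct_neighbors` given it acts like SPU (points only to a
    universe that is real and complete); without it, like WPU (real is
    enough).  Returns None when no candidate qualifies."""
    for universe in sorted(candidates, key=len, reverse=True):
        if not universe <= real_nodes:
            continue
        if correct_neighbors is None or correct_neighbors <= universe:
            return universe
    return None


def demo():
    # Constructed layout: a, b, c are correct neighbours of u; k1 and k2
    # are fictitious.  k1 drew a conflict from a; k2 drew none.
    a, b, c, k1, k2 = (1, 0), (0, 2), (3, 1), (5, 5), (2, 2)
    real = frozenset({a, b, c})
    with_conflict = universes({a, b, c, k1}, [(a, k1)])
    without_conflict = universes({a, b, c, k1, k2}, [(a, k1)])
    return (universe_detector(with_conflict, real),
            universe_detector(without_conflict, real))


if __name__ == "__main__":
    pointed, stuck = demo()
    print("k1 conflicts with a  ->", sorted(pointed))
    print("k2 conflicts with no one ->", stuck)
```

In the second case k2 is a member of every universe, so no universe offered to the detector is real and it has nothing to point to.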

To illustrate the idea we start with a sequence of fictitious node placement
examples.

5.1 Fictitious Nodes Placement Examples 

For this discussion we consider the neighborhood of a certain correct node u and a
faulty node f that tries to compromise u's neighborhood discovery. We denote by x,
y, z the correct nodes in the neighborhood of u that are respectively first,
second and third nearest to f. Note that to affect u, the faulty node f does not
itself have to be the neighbor of u. Our analysis proceeds according to the number
of correct receivers of messages sent by f.

Single correct receiver. Refer to Figure 1 for illustration. Note that due to the
broadcast nature of radio signal propagation, if any correct node receives a message
sent by f, x also receives this message because it is closest to f. Therefore, the
single correct receiver may only be x. Note that for y to not receive the signal from
f, the transmission signal strength should be sufficiently low. Recall that a correct
node always broadcasts with pre-defined signal strength $T_r$. Thus, to deceive x, f
has to select the location of k and the TSS such that: (i) the RSS at x is the same
as if k transmitted with $T_r$ and (ii) the RSS at y is below $R_{min}$. For the received
signal strength at y to be less than $R_{min}$, k cannot be closer to x than $|fy|$. On
the other hand, the location of k cannot be outside the range $r_t$ (or else x generates
conflict) or outside the neighborhood distance $d_n$ (or else x ignores it). Thus, the
possible location of k is a ring around x with the inner radius $|fy|$ and the outer
radius $\min(r_t, d_n)$.

Figure 1: Deception field with a single correct node x.

Two correct receivers. If there are exactly two correct receivers, they are the
two nodes x and y nearest to f. Assume that f makes two transmissions at signal
strengths $T_1$ and $T_2$. For these transmissions, the RSS at x and y are $R_{x1}$,
$R_{y1}$ and $R_{x2}$, $R_{y2}$ respectively. From the signal attenuation in Formula 1
we obtain:

$$\frac{|fy|}{|fx|} = \sqrt{\frac{R_{x1}}{R_{y1}}} = \sqrt{\frac{R_{x2}}{R_{y2}}}$$

That is, regardless of transmission power, the ratio of received signal strengths at
x and y does not change. Hence, f may select the location of the fictitious node
k such that it preserves this ratio. Such locations form an arc of a circle. Refer
to Figure 2. The center of the circle lies on the line whose segment is (xy). The
radius of the circle is $ba/(b - a)$ where b and a are the portions of (xy) such that
b/a = This circle is the deception circle. Note that f may not be able
to use all of the deception circle for fictitious node placement: to get both x and y
to receive the signal without generating conflicts the points on the arc have to lie
within $\min(r_t, d_n)$ of both x and y. Moreover, similar to the single-receiver case,
the portion of the arc that is closer to y than $|fz|$ cannot be used without z also
receiving the message.
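
The conflict check defined in Section 2 and the two-receiver geometry above, as an added Python example (not code from the paper). A faulty node f tunes its TSS so that x measures exactly what a node at the claimed location k would produce at $T_r$, and each receiver then classifies the message; the values of c, $T_r$ and $R_{min}$, the coordinates and all function names are constructed for illustration.

```python
import math

# Constructed parameters for the free-space model R = c*T/r^2 (assumed values).
C = 1.0        # propagation constant c
T_R = 100.0    # fixed TSS T_r of every correct node
R_MIN = 1.0    # weakest receivable RSS, so r_t = sqrt(C*T_R/R_MIN) = 10


def d2(a, b):
    """Squared distance between two points of the plane."""
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2


def rss(sender, tss, receiver):
    """Formula (1): RSS at `receiver` for a broadcast from `sender` at `tss`."""
    return C * tss / d2(sender, receiver)


def tss_to_mimic(f, k, receiver):
    """TSS at which f's signal arrives at `receiver` as strong as a broadcast
    from k at T_r would: T = T_r * |f,receiver|^2 / |k,receiver|^2."""
    return T_R * d2(f, receiver) / d2(k, receiver)


def verdicts(sender, tss, claimed, receivers):
    """What each receiver concludes about a message that claims to come from
    `claimed` (at T_r) but was physically sent by `sender` at `tss`."""
    out = {}
    for name, pos in receivers.items():
        measured = rss(sender, tss, pos)
        expected = rss(claimed, T_R, pos)
        if measured >= R_MIN:                      # message is received
            same = math.isclose(measured, expected, rel_tol=1e-9)
            out[name] = "consistent" if same else "explicit conflict"
        elif expected >= R_MIN:                    # should have heard it
            out[name] = "implicit conflict"
        else:
            out[name] = "not received"
    return out


def deception_circle(f, x, y):
    """Centre and radius of the locus of points k with |kx|/|ky| = |fx|/|fy|,
    i.e. the claimed locations that keep the RSS ratio at x and y unchanged."""
    lam2 = d2(f, x) / d2(f, y)
    if math.isclose(lam2, 1.0):
        raise ValueError("f is equidistant from x and y: the locus is a line")
    centre = tuple((xi - lam2 * yi) / (1 - lam2) for xi, yi in zip(x, y))
    radius = math.sqrt(lam2 * d2(x, y)) / abs(1 - lam2)
    return centre, radius


# Constructed layout: x is nearest to f, y second nearest.
X, Y, F = (0.0, 0.0), (6.0, 0.0), (2.0, 0.0)
RECEIVERS = {"x": X, "y": Y}
CLAIMS = {
    "on circle": (-2.0, 4.0),        # preserves the RSS ratio at x and y
    "off circle": (0.0, 3.0),        # ratio broken, y also hears the message
    "heard by x only": (6.0, 6.0),   # TSS too low to reach y
}


def run_cases():
    """f always tunes its TSS to fool x; y's verdict depends on the geometry."""
    return {label: verdicts(F, tss_to_mimic(F, k, X), k, RECEIVERS)
            for label, k in CLAIMS.items()}


if __name__ == "__main__":
    print("deception circle:", deception_circle(F, X, Y))
    for label, result in run_cases().items():
        print(f"{label:16s} {result}")
```

Only the claimed location on the deception circle passes at both receivers; the other two are caught by y, explicitly when y hears the message and implicitly when it does not.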

More than two correct receivers. Note that if there are more than two correct
receivers, they can be considered pairwise. Each pair of correct receivers forms
its own deception circle. Note that k can only be placed at the intersection of all
these circles. Note, however, that the circles intersect in the same place only if the
recipients are collinear.

Figure 2: Deception field with a two-node retinue. Correct nodes x and y receive
transmissions of faulty node f, while z does not.

Figure 3: The location of a snare in case of multiple faulty nodes. The retinue of $f_1$
is x and y. The retinue of $f_2$ is z. The intersection of deception fields produces area
where a snare can be placed.
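The deception circle and the pairwise argument above can be checked numerically. The following Python sketch is an added example, not code from the paper: the layout coordinates, the constants c and $T_r$, and the function names are constructed, and it takes b/a = |fy|/|fx| as an assumption when evaluating ba/(b - a). It tests RSS consistency only and ignores the range limits on the arc.

```python
import math

C = 1.0      # constructed attenuation constant c in RSS = c*T/d^2
T_R = 100.0  # constructed TSS T_r that a correct node is assumed to use

def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])

def deception_circle(f, x, y):
    """Centre and radius of the locus of points k with |ky|/|kx| = |fy|/|fx|.

    Returns None when f is equidistant from x and y: the locus is then the
    perpendicular bisector of (xy), not a circle."""
    rho = dist(f, y) / dist(f, x)
    if math.isclose(rho, 1.0):
        return None
    q = rho * rho
    centre = ((q * x[0] - y[0]) / (q - 1), (q * x[1] - y[1]) / (q - 1))
    return centre, rho * dist(x, y) / abs(q - 1)

def radius_from_portions(f, x, y):
    """Radius as ba/(b - a), with a and b the portions of (xy).

    Assumption: b/a = |fy|/|fx|, and f is nearer to x so that b > a."""
    rho = dist(f, y) / dist(f, x)
    a = dist(x, y) / (1 + rho)
    b = dist(x, y) - a
    return b * a / (b - a)

def spoof_tss(f, k, r):
    """TSS f needs so that receiver r measures the RSS of a T_R sender at k."""
    return T_R * dist(f, r) ** 2 / dist(k, r) ** 2

def rss_consistent(f, k, retinue):
    """True if one TSS at f reproduces the RSS of k at every retinue member."""
    needed = [spoof_tss(f, k, r) for r in retinue]
    return all(math.isclose(t, needed[0], rel_tol=1e-9) for t in needed)

def point_on_circle(centre, radius, theta):
    return (centre[0] + radius * math.cos(theta),
            centre[1] + radius * math.sin(theta))

# Constructed layout: faulty f, correct receivers x and y, and a third
# correct receiver w that is not collinear with x and y.
F, X, Y, W = (1.0, 1.0), (0.0, 0.0), (4.0, 0.0), (0.0, 3.0)

def survey(samples=12):
    """Count sampled circle points accepted by {x, y} and by {x, y, w}."""
    centre, radius = deception_circle(F, X, Y)
    pts = [point_on_circle(centre, radius, 0.3 + 2 * math.pi * i / samples)
           for i in range(samples)]
    two = sum(rss_consistent(F, k, [X, Y]) for k in pts)
    three = sum(rss_consistent(F, k, [X, Y, W]) for k in pts)
    return two, three

if __name__ == "__main__":
    print(deception_circle(F, X, Y), radius_from_portions(F, X, Y), survey())
```

Every sampled point of the circle is indistinguishable from a real sender for the pair x, y, while none of the sampled points remains consistent once the third receiver w also compares its RSS.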

Snare. A faulty node may affect the correct nodes around it. A set $E_f$ of correct
nodes is the retinue of a faulty node f if the following holds: if a correct node u
belongs to $E_f$, then every correct node v such that $|vf| < |uf|$ also belongs to $E_f$.
The faulty node is the leader of the retinue. For example, assume there are two faulty
nodes $f_1$ and $f_2$ and three correct nodes u, v and w such that $|f_1u| < |f_1v| < |f_1w|$
and 1/2^1 < 1/2^1 < |/2w|. Refer to Figure 3 for illustration. All three correct nodes
can be either in the retinue $E_{f_1}$ of $f_1$ or $E_{f_2}$ of $f_2$. However, if v belongs to $E_{f_1}$, so
does u, and if u belongs to $E_{f_2}$, so do v and w.

A deception field for a retinue of a faulty node f is the area such that for each
point k of the field there exists a TSS that the leader of the retinue can use to
transmit a message. The message so transmitted generates the RSS at each member
of the retinue as if the message was sent from k with transmission strength $T_r$.
Intuitively, a deception field is the area where f can place fictitious nodes without
generating conflicts at its retinue members.

A point k in a neighborhood of a correct node u is a (simple) snare for u if there
exists a set of faulty nodes and a retinue assignment for them such that: u is in one
of the retinues and the intersection of the deception fields of the retinues includes
k. Note that the nodes in range of k are either in the retinues or not. Intuitively,
a snare is a point where faulty nodes can jointly place a fictitious node without
generating explicit conflicts at any of the correct neighbors of u. Refer to Figure 3
for illustration. Note that some of the nodes may have implicit conflicts with k.
That is, they are within range $r_t$ of k and u but not in one of the retinues. That is,
they should receive a message from a node at k but they do not. Note that a snare
transmission from faulty nodes may still generate conflicts outside the range of u.
However, due to the locality assumption, u ignores this conflict.

A point k is a perfect snare for u if it is a snare and all nodes within the
transmission range of u and k are in the retinues of the faulty nodes participating in
the snare. That is, if faulty nodes broadcast in a perfect snare, neither explicit nor
implicit conflicts are generated at the neighbors of u.

Evaluating fault tolerance of a layout. To illustrate the concept of a snare, let
us discuss a square grid layout (refer to Figure 4). Let s be the distance between
the nodes in the grid. Note that for a node to have any neighbors, the neighborhood
distance $d_n$ has to be no less than s. Let $s < d_n <$ For simplicity, let $r_t = d_n$.
Then each node has exactly four neighbors. Note that the failure of a single node
creates a wedge-shaped deception field around the faulty node. Thus, with this
distance the layout is not fault tolerant.

Figure 4: The possibility of a snare in a grid layout with $d_n = 1.5s$.

Let us consider the case where $s\sqrt{2} < d_n < 2s$ and again $r_t = d_n$. In this
case, the neighborhood can withstand a failure of exactly one node. Indeed, assume
that a single node failed. Note that we have to consider the collusion of this faulty
node with arbitrary faulty nodes outside the neighborhood. Let us focus on the
neighborhood of node $u_5$. For $u_5$ to consider a fictitious node, the transmission of at
least one faulty node has to reach $u_5$. However, if a signal from a faulty node, either
inside or outside the neighborhood of $u_5$, reaches $u_5$, then this signal is received by
at least two more correct neighbors of $u_5$. Moreover, the three correct nodes that
receive this signal are non-collinear. This means that their pairwise deception circles
intersect only in the sender itself. Thus, the neighborhood of $u_5$ does not contain a
snare.

Let us determine if this grid layout can withstand simultaneous failure of two
nodes in the same neighborhood. Let $d_n = r_t$ be 1.5s. Suppose nodes $u_1$ and $u_4$ fail.
The deception field of $u_1$ with $u_2$ in its retinue is a disk with outer circle radius 1.5s
and inner radius $s\sqrt{2}$. That is, the outer disk is the range for correct nodes $r_t = d_n$ and
the inner is the distance to the next nearest node, $u_5$. A similar disk is a deception
field of $u_4$ for $u_5$. The intersection of the two disks forms the area where a perfect
snare for $u_5$ may be located. To use the snare, $u_1$ sends messages to $u_2$, and $u_4$ to
$u_5$ with the appropriate TSS pretending that the messages come from a fictitious
node located in the snare. Thus, the grid layout with such $d_n$ cannot withstand a
two-node failure.

5.2 Necessary Node Density Condition 

Having described the required instruments, we now demonstrate that the availability 
of the universe detectors alone is not sufficient to enable a solution to any of the 
neighborhood discovery problems if the node layout is too sparse. That is, if the 
nodes are not properly positioned on the plane. 

To simplify the proof we consider solutions that are well-formed. An algorithm 
is well-formed if (i) the action that transmits announcement is always enabled until 
executed; (ii) the receipt of a message may enable either confirm or conflict, this 
action stays enabled until executed. 

Theorem 2 There is no conflict-aware well-formed deterministic solution to any of 
the neighborhood discovery problems despite the availability of the universe detectors 
if one of the considered layouts contains a perfect snare. 
Proof: In the proof, we focus again on the weakest of the problems: the eventual
neighborhood discovery. Assume the opposite: there is a conflict-aware well-formed
algorithm A that uses a detector and solves the problem even though in one of the
layouts $L_1$, the neighborhood of a correct node u contains a perfect snare k.

Consider a layout $L_2$ that is identical to $L_1$ except that there is a correct node
at location k in $L_2$. We construct a computation $\sigma_2$ of A on $L_2$ as follows. Faulty
nodes do not send any messages in $\sigma_2$. We arrange the neighbors of u, including u
itself, into an arbitrary sequence Q. We then build the prefix of $\sigma_2$ by iterating over
this sequence. Since A is well-formed, each node in the sequence has announcement
enabled. We add the action execution that transmits announcement to $\sigma_2$ in the
order of nodes in Q. Since A is well-formed, these transmissions may enable confirm
actions at the neighbors of u. Note that since v is correct, conflict actions are not
enabled by these transmissions. We now iterate over the nodes in Q. For each node
v we add the execution of these confirm actions at v to $\sigma_2$ in arbitrary fixed order,
for example in the order in which the original senders appear in Q. We proceed
in this manner until the sequence Q is exhausted. Note that these transmissions
may potentially generate another round of confirm messages at the nodes in Q. We
continue iterating over Q until no more messages are generated. We then complete
$\sigma_2$ by executing the actions of nodes in an arbitrary fair manner. Note that the
remaining messages deal with the nodes outside u's neighborhood. Therefore, u
ignores them.

Now, the liveness property of all the detectors states that a detector points to
a universe if it is output for a suffix of the computation. Since A is a solution of
oMDV and $\sigma_2$ is a computation of A, $\sigma_2$ has to contain a suffix where u outputs a
real universe in every state. Since k is a correct neighbor of u, k is included in the
real universe.

Recall that in layout $L_1$, point k is a perfect snare. This means that there is an
arrangement of retinues and the TSS for the faulty nodes, such that when the faulty
nodes transmit, each node in the neighborhood of u in the distance d from k receives
a message with the same RSS as if a node at k broadcast with $T_r$. Moreover, none
of the nodes in the neighborhood of u detect conflicts.

We construct a computation $\sigma_1$ of A on layout $L_1$ as follows. We iterate over
the same sequence Q as in $\sigma_2$. Note that k is also present in the sequence even
though it is fictitious in $\sigma_1$. To build the prefix of $\sigma_1$ we execute similar actions as
for $\sigma_2$. The only difference is that when node k broadcasts in $\sigma_2$, in $\sigma_1$ we have the
faulty nodes that constitute the snare broadcast at the appropriate TSS. Note that
in the computation thus formed, the correct neighbors of u receive messages at the
same RSS and with the same content from the faulty nodes as in $\sigma_2$ from k. Thus,
these transmissions do not generate conflicts. Observe that this means that node u
receives the same messages with the same RSS, and in the same sequence in $\sigma_1$ and
$\sigma_2$. Since A is deterministic, u has to output the same universes in $\sigma_1$ and $\sigma_2$. Note
also, that this means that u does not record conflicts. Since A is conflict aware, all
u's universes of A include k together with the correct neighbors.

However, k is a fictitious node in $L_1$. This means that $\sigma_1$ contains a suffix where
u does not output a real universe. According to the safety property of the detectors,
none of them provides output in a suffix of $\sigma_1$. This means that A does not output
a neighborhood set in a suffix of $\sigma_1$. This violates the liveness property of a solution
to oMDV. Therefore, our assumption that A is a solution to oMDV is incorrect.
The theorem follows. □



6 Necessary Transmission Range 

In this section we provide another required condition for the existence of a
solution to the neighborhood discovery problem. Essentially, if the nodes in the same
neighborhood are out of range, the faulty node may introduce a conflict between
them. This forces the algorithm to mistakenly split the correct nodes into separate
universes and renders the failure detector powerless.

Theorem 3 There is no conflict-aware deterministic solution for any of the
neighborhood discovery problems despite the availability of universe detectors and lack of
snares if the node transmission range $r_t$ is less than double the neighborhood distance
$d_n$.

Proof: Consider the eventual neighborhood discovery and assume that there is
an algorithm A that solves the problem in the presence of detectors on any layout
without snares yet the transmission range of the correct nodes $r_t$ is less than $2d_n$.
Consider the layout $L_1$ where the neighborhood of a correct node u contains two
nodes v and $f_1$ as well as a point k with the following properties. Refer to Figure 5
for illustration. As usual, v is correct, $f_1$ is faulty and there is no node at point k.
Even though point k is in the neighborhood of u, it is out of range of v. That is,
$r_t < |vk|$. Recall that this is possible since, by assumption, $r_t < 2d_n$. Node $f_1$ is
such that $|uf_1| = |uk|$ and $r_t > |vf_1|$. The rest of the correct nodes in range of u are
located such that, with the exception of v, k forms a perfect snare for u. That is,
if $f_1$ sends a message from a fictitious node k, the only node that generates conflict
is v. Certainly, with the presence of v, k is not a snare so the assumptions of the
theorem apply.

Figure 5: Insufficient range for recognition of faulty node. Illustration to the proof
of Theorem 3.

Consider that $f_1$ indeed sends announcement pretending to be a fictitious node
at k. Nodes $f_1$ and k are equidistant from u. Thus, if $f_1$ does not want u to detect a
conflict, $f_1$ has to send the signal with the TSS of $T_r$. However, with such TSS, v is
in range of $f_1$ but out of range of k. This means that v receives the announcement
ostensibly coming from k and detects a conflict. The RSS at v is $cT_r/|vf_1|^2$. Since
A is a solution to the neighborhood discovery problem and v is the only node that
is aware of the conflict, v has to send conflict to u which removes the fictitious node
k from the real universe of u.

Consider a different layout $L_2$ (refer to Figure 5) which is similar to $L_1$, only point
k is occupied by a correct node and there is a faulty node $f_2$ near v. Specifically,
the distance $|vf_2|$ is such that there are no correct nodes within the following range
of $f_2$:

l^/l I V Rmin

This ensures that when $f_2$ is going to imitate node k, none of the nodes besides v
receive the messages from $f_2$. Note that $f_2$ and k still do not form a snare because
v is aware of the conflict. Note also, that such location of $f_2$ can always be found if
the faulty node can be placed arbitrarily close to v.

Assume that if the node k in $L_2$ sends a message, $f_2$ replicates this message with
TSS

$$T_r \frac{|vf_2|^2}{|vf_1|^2}$$

Observe that in this case all nodes, including v and u, receive exactly the same
messages as in layout $L_1$. Since A is deterministic, the nodes have to act exactly
as in the previous case. That is, v has to issue a conflict with the message of
node k. However, after receiving this conflict, k is separated from u's real universe.
Recall that k is correct in layout $L_2$. Note that in this case k is never going to be
added to the output of A at u. However, this violates the liveness property of the
neighborhood discovery problem since k is a correct neighbor of u. Thus, A is not
a solution to this problem as we initially assumed. □

7 The Sybil Attack Resilient Neighborhood Discovery
Algorithm SAND

Our description of the algorithm proceeds as follows. We first motivate the need
to frugally encode the universes to be passed to the universe detectors. We then
describe the operation of the neighborhood detection algorithm itself. Then, we
define the concrete implementations of the abstract detectors specified in Section SJ 
These concrete detectors should operate with our algorithm. On the basis of the 
algorithm and detector description we state the theorem of algorithm correctness 
and detector optimality. 

Encoding universes. Observe that a naive solution for representing universes by
the algorithm results in an exponential number of universes. Indeed, assume that
node u compiled a set of nodes U that do not conflict with two nodes v and w.
Suppose now that u records a conflict between the two nodes. They thus have to
be placed in separate universes: $U \cup \{v\}$ and $U \cup \{w\}$. Let us consider another pair
of conflicting nodes x and y that are different from v and w. Then, there are four
possible universes: $U \cup \{v, x\}$, $U \cup \{v, y\}$, $U \cup \{w, x\}$, and $U \cup \{w, y\}$. Hence, if there
are N nodes in the neighborhood of u, the potential number of conflicting pairs is
$\lfloor N/2 \rfloor$ and the number of universes is $2^{\lfloor N/2 \rfloor}$.

Therefore, our algorithm encodes the universes in the conflicts that are passed 
to the detector. That is, the algorithm passes a set of conflicts for the detector to 
generate the appropriate universe on its own. 
Recall also that in an asynchronous radio network the receiving node cannot
distinguish one sender from another or decide if the two messages were sent by the
same node. This task has to be handled by the detector.

Algorithm description. We assume that the necessary conditions for the existence
of a solution to the neighborhood discovery problem are satisfied: the layout does
not contain a (simple) snare and transmission range is at least twice as large as the
neighborhood distance $d_n$.

The SAND algorithm operates as follows. Every message transmitted by the
node contains its coordinates. Each node sends announce. After receiving an
announce, a node replies with a confirm message. Each confirm contains the
information of the announcement. If a node receives a message whose coordinates do
not match the received signal strength, the node replies with a conflict message.
The conflict also contains the information of the message that generated the
conflict. Observe that confirm can only be generated by announce while conflict can be
generated by an arbitrary message. Note that according to the locality assumption
every node ignores messages from the nodes outside of its neighborhood distance $d_n$.

Each node u builds a message dependency directed graph DEP. For each confirm, 
u finds a matching announce; for each conflict — a matching message that caused 
the conflict. Note that this message dependence may not be unique. For example 
a faulty node may send a message identical to a message sent by a correct node. 
Since a node cannot differentiate senders in asynchronous radio networks, identical 
messages are merged in DEP. Note also, that a match may not be found because 
the faulty node may send a spurious conflict message or the conflict message is 
in reply to the faulty node message that u does not receive. Node u removes the 
unmatched message. Also, u removes the cycles and sinks of DEP that are not 
announce. Observe that DEP may grow indefinitely as faulty nodes can continue to 
send arbitrary messages. 

Due to no-snare and transmission range assumptions, for every correct process 
u the following is guaranteed about DEP: 

• Eventually, u receives an announcement from every correct node in its
neighborhood. An announcement from each correct node will be confirmed by every
correct node. There will be no messages from the correct nodes that conflict
with any other messages from the correct nodes.

• Eventually, every message from a fictitious node will be followed up by at least
one conflict message sent by one of the correct nodes from the neighborhood
of u.
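The receive rule and the DEP pruning described above, as an added Python sketch that is not the authors' code. The message layout (kind, claimed coordinates, and a reference holding the kind and coordinates of the answered message), the constants and the four-node layout are assumptions constructed for this illustration.

```python
import math
from collections import namedtuple

# Constructed values: attenuation constant c, TSS T_r, neighborhood distance d_n.
C, T_R, D_N = 1.0, 100.0, 3.0

# kind: announce | confirm | conflict; xy: coordinates carried in the message;
# ref: (kind, xy) of the message being answered, None for an announce.
Msg = namedtuple("Msg", "kind xy ref")

def rss(tx_pos, tss, rx_pos):
    return C * tss / math.dist(tx_pos, rx_pos) ** 2

def react(me, msg, measured):
    """Reply of a correct node at `me` to a received message, or None."""
    d = math.dist(me, msg.xy)
    if d == 0 or d > D_N:            # own coordinates, or outside d_n (locality)
        return None
    if not math.isclose(measured, C * T_R / d ** 2, rel_tol=1e-6):
        return Msg("conflict", me, (msg.kind, msg.xy))
    if msg.kind == "announce":
        return Msg("confirm", me, (msg.kind, msg.xy))
    return None

def on_cycle(start, dep):
    """True if `start` can reach itself by following dependencies."""
    stack, seen = list(dep[start]), set()
    while stack:
        m = stack.pop()
        if m == start:
            return True
        if m not in seen:
            seen.add(m)
            stack.extend(dep[m])
    return False

def build_dep(received):
    """DEP as {message: messages it answers}, pruned until nothing changes."""
    nodes = set(received)            # identical messages are merged
    while True:
        by_head = {}
        for m in nodes:
            by_head.setdefault((m.kind, m.xy), set()).add(m)
        dep = {m: by_head.get(m.ref, set()) if m.ref else set() for m in nodes}
        # Replies without a match are exactly the sinks that are not announce.
        drop = {m for m in nodes if m.kind != "announce" and not dep[m]}
        drop |= {m for m in nodes if m.kind == "confirm" and m.ref[0] != "announce"}
        drop |= {m for m in nodes if on_cycle(m, dep)}
        if not drop:
            return dep
        nodes -= drop

def conflicts(dep):
    """(reporter xy, reported xy) pairs: the conflict set handed to the detector."""
    return {(m.xy, m.ref[1]) for m in dep if m.kind == "conflict"}

# Constructed layout: u and v correct, f faulty, k fictitious with |uf| = |uk|.
U, V, F, K = (0, 0), (1, 0), (0, 1), (-1, 0)

def scenario():
    ann_u, ann_v, ann_k = (Msg("announce", p, None) for p in (U, V, K))
    log = [ann_u, ann_v, ann_k]                        # heard by u, own announce included
    log.append(react(V, ann_u, rss(U, T_R, V)))        # v confirms u
    log.append(react(V, ann_k, rss(F, T_R, V)))        # f sent ann_k: RSS at v is wrong
    log.append(Msg("conflict", (2, 0), ("announce", (2, 2))))  # target never received by u
    log.append(Msg("conflict", (1, 1), ("conflict", (2, 1))))  # two conflicts that
    log.append(Msg("conflict", (2, 1), ("conflict", (1, 1))))  # answer each other
    return react(U, ann_k, rss(F, T_R, U)), build_dep(log)

if __name__ == "__main__":
    reply, dep = scenario()
    print(reply, conflicts(dep))
```

Node u alone confirms the fictitious announcement because f and k are equidistant from it; the surviving conflict from v is the only evidence against k that reaches the detector.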
Concrete universe detectors. We define the concrete detectors cSVU, cWVU
and ocVU as the detectors that accept the DEP provided by SAND as input and
whose output satisfies the specification of the corresponding abstract detectors
described in Section [H. That is, for each correct node u, cSVU only outputs complete
and real universe, cWVU may output a real universe that is not complete, while
ocVU may provide arbitrary output for a fixed number of computation states.
However, all three detectors eventually output the complete and real universe for u.
Observe that the detectors have to comply with the specification even though DEP
may grow infinitely large.

In SAND, each process u observes the output of the detector and immediately
outputs the universe presented by the detector without further modification. The
construction of SAND proves the following theorem.

Theorem 4 Considering layouts without simple snares and assuming that the
transmission range is at least twice as large as the neighborhood distance, the Sybil Attack
Neighborhood Detection Algorithm SAND provides a conflict-aware deterministic
solution to the Neighborhood Discovery Problem as follows: SMDV if cSVU
detector is used; WMDV if cWVU is used; and oMDV if ocVU is used.

Similar to Chandra et al. [3] we can introduce the concept of a weakest universe
detector needed to solve a certain problem. A universe detector U is the weakest
detector required to solve a problem V if the following two properties hold:

• there is an algorithm A that uses U to solve V;

• there is another algorithm B that uses the input of an arbitrary solution S of
V to implement U.

That is, B uses the output of S and provides the computations expected of U. The 
intuition is that if any solution can be used to implement U, then every solution 
needs the strength of at least U. Hence, the idea that U is the weakest detector. 

Observe that SAND provides the solutions using these detectors to the
respective problems. Note also that the outputs of the neighborhood discovery problems
that we defined SMDV, WMDV and oMDV can be used as the respective universe
detectors SVU, WVU and oVU. For example, if a process u in SMDV outputs its
neighborhood set, this neighborhood set can be used to point to the real universe.
Hence the following proposition.

Proposition 1 Concrete universe detectors cSVU, cWVU and ocVU are the
weakest detectors required to solve SMDV, WMDV and oMDV respectively.






8 Detector Implementation and Future Research 

Detector implementation. According to Theorem 1, the universe detectors
employed by our solution to the neighborhood discovery problem are not themselves
implementable in asynchronous systems. The actual implementation of the
detectors can depend on the particular properties of the application. Here are a few
possible ways of constructing the detectors. The nodes may be aware of the bounds
on faulty nodes' speed. That is, the detectors will know the maximum number of
fictitious nodes they have to deal with. The nodes may contain some topological
knowledge of the network. For example, the nodes may know that the network is a
grid. Alternatively, the nodes may have secure communication with several trusted
neighbors to ensure their presence in the selected universe.

Future research. We conclude the paper by outlining several interesting areas of
research that our study suggests. Even though the concrete detectors we describe
in the paper are minimal from the application perspective, it is unclear if the input
that SAND provides is optimal. That is, is there any other information that can be
gathered in the asynchronous model that can help the detector decide if a certain
universe is real? We suspect that SAND provides the maximum possible information
but we would like to rigorously prove it.

In this study, we assume completely reliable communication within a certain
radius of the transmitting node $R_{min}$. However, in practice the propagation patterns
of low-power wireless radios used in sensor and other ad hoc networks are highly
irregular. See for example Zhou et al. [28]. The problem of adapting a more realistic
communication model is left open.

Another question is the true relationship between the universe and fault
detectors. Observe that unlike fault detectors, the universe detectors require additional
layout properties to enable the solution to the neighborhood discovery. It would
be interesting to research if there is a complete analogue to fault detectors for this
problem.